spiffe/cert/

parsing.rs

use crate::cert::errors::CertificateError;
use crate::cert::Certificate;
use x509_parser::certificate::X509Certificate;
use x509_parser::der_parser::oid::Oid;
use x509_parser::error::X509Error;
use x509_parser::extensions::ParsedExtension;
use x509_parser::nom::Err;
use x509_parser::nom::Err::Incomplete;

/// Takes a concatenated chain of DER encoded certificates and parses it
/// as a `Vec` of [`Certificate`].
pub(crate) fn to_certificate_vec(
    cert_chain_der: &[u8],
) -> Result<Vec<Certificate>, CertificateError> {
    let cert_der_blocks = asn1::from_der(cert_chain_der)?;

    let mut cert_chain = vec![];
    for block in cert_der_blocks.iter() {
        let cert_der = asn1::to_der(block)?;
        cert_chain.push(Certificate::from_der_bytes(cert_der));
    }
    Ok(cert_chain)
}

/// Try to parse the given DER-encoded slice of bytes as a X.509 certificate.
/// Returns a [`CertificateError`] if the the `der_bytes` is not DER-encoded or if
/// it cannot be parsed to a X.509 certificate.
pub(crate) fn parse_der_encoded_bytes_as_x509_certificate(
    der_bytes: &[u8],
) -> Result<X509Certificate<'_>, CertificateError> {
    let x509 = match x509_parser::parse_x509_certificate(der_bytes) {
        Ok(c) => c.1,
        Err(e) => {
            return Err(CertificateError::ParseX509Certificate(match e {
                Incomplete(_) => X509Error::InvalidCertificate,
                Err::Error(e) => e,
                Err::Failure(e) => e,
            }))
        }
    };
    Ok(x509)
}

// Returns the X.509 extension in the certificate the for the provided OID.
pub(crate) fn get_x509_extension<'a>(
    cert: &'a X509Certificate<'_>,
    oid: Oid<'a>,
) -> Result<&'a ParsedExtension<'a>, CertificateError> {
    let parsed_extension = match cert.tbs_certificate.get_extension_unique(&oid)? {
        None => return Err(CertificateError::MissingX509Extension(oid.to_string())),
        Some(s) => s.parsed_extension(),
    };
    Ok(parsed_extension)
}